[squid-users] Buy Certificates for Squid 'man in the middle'

Yuri Voinov yvoinov at gmail.com
Wed Feb 1 21:16:57 UTC 2017


In three words:

Forget about it.

No one in the world permit you to do Man-In-The-Middle-Attack hidden
from users.

CAs in the event of such certificates immediately include it in the list
of untrusted. And you can give up the problems up to prison for a long
time. For violation of the privacy of users. In other words, users
should be aware that there is a proxy hacking HTTPS in front of them.
All other tricks are illegal, at least it is contrary to ethics.

Forget about it.

I'm seriously.

02.02.2017 3:10, Yuri Voinov пишет:
>
>
>
> 02.02.2017 2:58, angelv пишет:
>> Hi,
>>
>> I need your advice.
>>
>> I have a transparent proxy running with the self generated
>> certificates 'myCA.pem', as it is not signed by a valid entity then I
>> have to import the 'myCA.der' certificate in all web browsers ...
>>
>> I want to know where I can buy a valid certificate that work in Squid.
> Nowhere. Due to CA's CPS.
>>
>> PD:
>> The proxy is working great
>>
>>
>> ----------------------------------------------------------------------------------------------
>> Important information for clarity (FreeBSD, squid-3.5.23 and PF):
>>
>> Create self-signed certificate for Squid server
>>
>> # openssl req -new -newkey rsa:2048 -sha256 -days 36500 -nodes -x509
>> -extensions v3_ca -keyout myCA.pem  -out
>> /usr/local/etc/squid/ssl_cert/myCA.pem -config
>> /usr/local/etc/squid/ssl_cert/openssl.cnf
>>
>> # openssl dhparam -outform PEM -out
>> /usr/local/etc/squid/ssl_cert/dhparam.pem 2048
>>
>> Create a DER-encoded certificate to import into users' browsers
>>
>> # openssl x509 -in /usr/local/etc/squid/ssl_cert/myCA.pem -outform
>> DER -out /usr/local/etc/squid/ssl_cert/myCA.der
>>
>>
>> # edit /usr/local/etc/squid/squid.conf
>> ...
>> # Squid normally listens to port 3128
>> http_port  3128
>>
>> # Intercept HTTPS CONNECT messages with SSL-Bump
>> #
>> http_port  3129 ssl-bump intercept \
>>         cert=/usr/local/etc/squid/ssl_cert/myCA.pem \
>>         generate-host-certificates=on dynamic_cert_mem_cache_size=4MB \
>>         dhparams=/usr/local/etc/squid/ssl_cert/dhparam.pem
>> #
>> https_port 3130 ssl-bump intercept \
>>         cert=/usr/local/etc/squid/ssl_cert/myCA.pem \
>>         generate-host-certificates=on dynamic_cert_mem_cache_size=4MB \
>>         dhparams=/usr/local/etc/squid/ssl_cert/dhparam.pem
>> #
>> sslcrtd_program /usr/local/libexec/squid/ssl_crtd -s
>> /usr/local/etc/squid/ssl_db -M 4MB
>> #
>> acl step1 at_step SslBump1
>> #
>> ssl_bump peek step1
>> ssl_bump stare all
>> ssl_bump bump all
>> always_direct allow all
>> #
>> sslproxy_cert_error allow all
>> sslproxy_flags DONT_VERIFY_PEER
>> ...
>>
>> PF redirect the traffic to the Squid
>>
>> # edit /etc/pf.conf
>> ...
>> # Intercept HTTPS CONNECT messages with SSL-Bump
>> rdr pass on $int_if inet  proto tcp from any to port https \
>>         -> 127.0.0.1 port 3130
>> rdr pass on $int_if inet6 proto tcp from any to port https \
>>         -> ::1 port 3130
>> ...
>> ----------------------------------------------------------------------------------------------
>> -- 
>> Ángel Villa G.
>> US +1 (786) 233-9240 | CO +57 (300) 283-6546
>> angelvg at gmail.com <mailto:angelvg at gmail.com>
>> https://google.com/+AngelVillaG
>> https://angelcontents.blogspot.com
>>
>> "We are all atheists about most of the gods that societies have ever
>> believed in. Some of us just go one god further" - Richard Dawkins
>>
>>
>> _______________________________________________
>> squid-users mailing list
>> squid-users at lists.squid-cache.org
>> http://lists.squid-cache.org/listinfo/squid-users
>
> -- 
> Bugs to the Future

-- 
Bugs to the Future
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20170202/df678027/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0x613DEC46.asc
Type: application/pgp-keys
Size: 2437 bytes
Desc: not available
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20170202/df678027/attachment-0001.key>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 473 bytes
Desc: OpenPGP digital signature
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20170202/df678027/attachment-0001.sig>


More information about the squid-users mailing list